An organization's public resources are the ones most visible from the outside and form its face to customers and suppliers. For this very reason they are the resources most exposed to attack by intruders, and therefore the most vulnerable.
The penetration test designed by S2 Grupo specialists aims to simulate the activity of a hypothetical attacker who wants to gain a foothold in the organization's resources. To that end, the intrusion team performs the necessary technical tests, from locations outside the customer's premises, to verify the security of the organization's public resources. The sub-phases of this stage are:
- Visibility and perimeter security test. The S2 Grupo intrusion team draws up an inventory of the services publicly accessible on the Internet, in order to determine which would be the main entry points an intruder would consider when attempting an attack against the corporate resources within the agreed scope. Among the tests performed, the intrusion team verifies the correct implementation of network-level access controls (firewalls and routers), checking whether a potential intruder could evade the restrictions imposed by these controls and gain more visibility of corporate resources than should be possible from the Internet or from external networks.
- Penetration test. Once the inventory of resources visible from the outside has been obtained, the intrusion team conducts a vulnerability audit aimed at detecting deficiencies in design, implementation or deployment that could allow an attacker to gain unauthorized access privileges, or even full control over the attacked systems.
- Propagation test. Once vulnerabilities in the systems visible from the Internet have been found and exploited, the S2 Grupo intrusion team, depending on what the exploited vulnerability allows, attempts to spread to other systems or services. Although these were not publicly accessible from the Internet, they become reachable after vulnerabilities in the public systems have been exploited, which would give an intruder access to systems not previously exposed. This test lets the organization know the actual degree of risk behind each detected vulnerability, so that remediation can be planned according to the real impact its exploitation would have, rather than the limited impact on the single machine that presents the vulnerability.
Logical Security Audit
Depending on the protection objective, S2 Grupo designs security audits focused on the logical level of protection.
A logical security audit covers the technical aspects of the ICT infrastructure, considering the architectural design from a security standpoint as well as the protection mechanisms deployed to address all kinds of logical incidents.
A logical security audit therefore includes the work done by the S2 Grupo ethical hacking team and comprises both external and internal penetration tests.
Perimeter security audits are designed when the TOE (target of evaluation) is the organization's perimeter. White box or black box audits, and security audits in general, are designed according to the visibility granted to the S2 Grupo penetration team.
Adaptation to the LOPD
The Organic Law on Data Protection (LOPD) aims to ensure the protection of the personal data of the people who make up the organization's various stakeholder groups (employees, customers, suppliers, etc.), data that organizations need in order to carry out their activity.
Through both the Law and its Regulation, it establishes a series of guidelines and rules that are mandatory for everyone involved in the processing of such data.
Projects to adapt to the Data Protection Act, and the corresponding compliance reviews, require both technical expertise in technological security and legal knowledge, in order to determine which data must be protected and how this must be done in each case.
S2 Grupo, with a mixed technical and legal team, has always carried out LOPD adaptations for organizations ranging from large ones, such as Consum, to small ones, building up in-depth knowledge of the subject within the company over the years.
Beyond identifying the personal data that organizations process, designing the data collection policy and the data collection forms, drawing up contracts with third parties that include the specific clauses required by law, establishing corporate standards and so on, Article 9 of the Data Protection Act states in paragraph 1:
“The data controller and, where appropriate, the processor, must take the necessary technical and organizational measures to ensure the security of personal data and avoid its alteration, loss or unauthorized access, taking into account the state of technology, the nature of the data stored and the risks they are exposed to, whether from human action or physical or natural environment.”
Royal Decree 1720/2007, of 21 December, approved the Regulation implementing the Data Protection Act, which determines, among other aspects, the security measures for files containing personal data, regardless of the system used to process them. The Regulation aims to establish the technical and organizational measures needed to guarantee the level of security required of the files, processing centers, premises, equipment, systems, programs and persons involved in the processing of personal data.
These mandatory measures include the development and implementation of security standards in a document that is binding on all staff with access to personal data: the security document.
Any organization responsible for the processing of personal data carried out by its departments must define the technical and organizational measures needed to ensure the protection, confidentiality, integrity and availability of the affected resources.
Therefore, the work to be done includes the review and, where applicable, a proposed amendment of the organization's Security Document and of the documents that make it up, in order to ensure compliance with the documentary requirements of the RDLOPD.
An example of the deliverables in an LOPD adaptation project, or in a compliance review, would be:
- Forms for declaring the creation, modification and/or deletion of files before the General Register of the AEPD.
- Model contract with third parties that access data in the course of providing services.
- Model notice informing third parties of the processing of their data.
- Model confidentiality agreements for the different groups we collaborate with.
- If an amendment is deemed necessary, a proposed update of the Security Document, as data controller, for the processing of the corresponding personal data.
- RDLOPD compliance report.
- Plan of initiatives aimed at improving the overall level of compliance with the Data Protection Act and its Regulation.